[115H4036]


(Original Signature of Member) 


116th CONGRESS 
1st Session 


H.R. 


To amend title 18, United States Code, to provide a defense to prosecution 
for fraud and related activity in connection with computers for persons 
defending against unauthorized intrusions into their computers, and for 
other purposes. 


IN THE HOUSE OF REPRESENTATIVES 


Mr. Graves of Georgia introduced the following bill; which was referred to 
the Committee on 


A BILL 

To amend title 18, United States Code, to provide a defense to prosecution
for fraud and related activity in connection with computers for persons
defending against unauthorized intrusions into their computers, and for
other purposes.

Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Active Cyber Defense Certainty Act”.

SEC. 2. CONGRESSIONAL FINDINGS.

Congress finds the following:

(1) Cyber fraud and related cyber-enabled crimes pose a severe threat to
the national security and economic vitality of the United States.

(2) As a result of the unique nature of cybercrime, it is very difficult
for law enforcement to respond to and prosecute cybercrime in a timely
manner, leading to the existing low level of deterrence and a rapidly
growing threat. In 2017, the Department of Justice prosecuted only 165
cases of computer fraud. Congress determines that this status quo is
unacceptable and that if left unchecked, the trend in cybercrime will only
continue to deteriorate.

(3) Cybercriminals have developed new tactics for monetizing the proceeds
of their criminal acts, making it likely that the criminal activity will be
further incentivized in the absence of reforms to current law allowing for
new cyber tools and deterrence methods for defenders.

(4) When a citizen or United States business is victimized as the result of
such crime, the first recourse should be to report the crime to law
enforcement and seek to improve defensive measures.

(5) Congress also acknowledges that many cyberattacks could be prevented
through improved cyber defensive practices, including enhanced training,
strong passwords, and routine updating and patching to computer systems.

(6) Congress determines that the use of active cyber defense techniques,
when properly applied, can also assist in improving defenses and deterring
cybercrimes.

(7) Congress also acknowledges that many private entities are increasingly
concerned with stemming the growth of dark web based cyber-enabled crimes.
The Department of Justice should attempt to clarify the proper protocol for
entities who are engaged in active cyber defense in the dark web so that
these defenders can return private property such as intellectual property
and financial records gathered inadvertently.

(8) Congress also recognizes that while Federal agencies will need to
prioritize cyber incidents of national significance, there is the potential
to assist the private sector by being more responsive to reports of crime
through different reporting mechanisms. Many reported cybercrimes are not
responded to in a timely manner creating significant uncertainty for many
businesses and individuals.

(9) Computer defenders should also exercise extreme caution to avoid
violating the law of any other nation where an attacker’s computer may
reside.

(10) Congress holds that active cyber defense techniques should only be
used by qualified defenders with a high degree of confidence in
attribution, and that extreme caution should be taken to avoid impacting
intermediary computers or resulting in an escalatory cycle of cyber
activity.

(11) It is the purpose of this Act to provide legal certainty by clarifying
the type of tools and techniques that defenders can use that exceed the
boundaries of their own computer network.

SEC. 3. EXCEPTION FOR THE USE OF ATTRIBUTIONAL TECHNOLOGY.

Section 1030 of title 18, United States Code, is amended by adding at the
end the following:

“(k) Exception for the Use of Attributional Technology.—

“(1) This section shall not apply with respect to the use of attributional
technology in regard to a defender who uses a program, code, or command for
attributional purposes that beacons or returns locational or attributional
data in response to a cyber intrusion in order to identify the source of an
intrusion; if—

“(A) the program, code, or command originated on the computer of the
defender but is copied or removed by an unauthorized user; and

“(B) the program, code or command does not result in the destruction of
data or result in an impairment of the essential operating functionality of
the attacker’s computer system, or intentionally create a backdoor enabling
intrusive access into the attacker’s computer system.

“(2) Definition.—The term ‘attributional data’ means any digital
information such as log files, text strings, time stamps, malware samples,
identifiers such as user names and Internet Protocol addresses and metadata
or other digital artifacts gathered through forensic analysis.”.

SEC. 4. EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES FOR THOSE
TAKING ACTIVE CYBER DEFENSE MEASURES.

Section 1030 of title 18, United States Code, is amended by adding at the
end the following:

“(l) Active Cyber Defense Measures Not a Violation.—

“(1) Generally.—It is a defense to a criminal prosecution under this
section that the conduct constituting the offense was an active cyber
defense measure.

“(2) Inapplicability to civil action.—the defense against prosecution
created by this section does not prevent a United States person or entity
who is targeted by an active defense measure from seeking a civil remedy,
including compensatory damages or injunctive relief pursuant to subsection
(g).

“(3) Definitions.—In this subsection—

“(A) the term ‘defender’ means a person or an entity that is a victim of a
persistent unauthorized intrusion of the individual entity’s computer;

“(B) the term ‘active cyber defense measure’—

“(i) means any measure—

“(I) undertaken by, or at the direction of, a defender; and

“(II) consisting of accessing without authorization the computer of the
attacker to the defender’s own network to gather information in order to—

“(aa) establish attribution of criminal activity to share with law
enforcement and other United States Government agencies responsible for
cybersecurity;

“(bb) disrupt continued unauthorized activity against the defender’s own
network; or

“(cc) monitor the behavior of an attacker to assist in developing future
intrusion prevention or cyber defense techniques; but

“(ii) does not include conduct that—

“(I) intentionally destroys or renders inoperable information that does not
belong to the victim that is stored on another person or entity’s computer;

“(II) recklessly causes physical injury or financial loss as described
under subsection (c)(4);

“(III) creates a threat to the public health or safety;

“(IV) intentionally exceeds the level of activity required to perform
reconnaissance on an intermediary computer to allow for attribution of the
origin of the persistent cyber intrusion;

“(V) intentionally results in intrusive or remote access into an
intermediary’s computer;

“(VI) intentionally results in the persistent disruption to a person or
entities internet connectivity resulting in damages defined under
subsection (c)(4); or

“(VII) impacts any computer described under subsection (a)(1) regarding
access to national security information, subsection (a)(3) regarding
government computers, or to subsection (c)(4)(A)(i)(V) regarding a computer
system used by or for a Government entity for the furtherance of the
administration of justice, national defense, or national security;

“(C) the term ‘attacker’ means a person or an entity that is the source of
the persistent unauthorized intrusion into the victim’s computer; and

“(D) the term ‘intermediary computer’ means a person or entity’s computer
that is not under the ownership or primary control of the attacker but has
been used to launch or obscure the origin of the persistent cyber-attack.”.

SEC. 5. NOTIFICATION REQUIREMENT FOR THE USE OF ACTIVE CYBER DEFENSE
MEASURES.

Section 1030 of title 18, United States Code, is amended by adding the
following:

“(m) Notification Requirement for the Use of Active Cyber Defense
Measures.—

“(1) Generally.—A defender who uses an active cyber defense measure under
the preceding section must notify the FBI National Cyber Investigative
Joint Task Force and receive a response from the FBI acknowledging receipt
of the notification prior to using the measure.

“(2) Required information.—Notification must include the type of cyber
breach that the person or entity was a victim of, the intended target of
the active cyber defense measure, the steps the defender plans to take to
preserve evidence of the attacker’s criminal cyber intrusion, as well as
the steps they plan to prevent damage to intermediary computers not under
the ownership of the attacker and other information requested by the FBI to
assist with oversight.”.

SEC. 6. VOLUNTARY PREEMPTIVE REVIEW OF ACTIVE CYBER DEFENSE MEASURES.

(a) Pilot Program.—The Federal Bureau of Investigation (hereinafter in
this section referred to as the “FBI”), in coordination with other Federal
agencies, shall create a pilot program to last for 2 years after the date
of enactment of this Act, to allow for a voluntary preemptive review of
active defense measures.

(b) Advance Review.—A defender who intends to prepare an active defense
measure under section 4 may submit their notification to the FBI National
Cyber Investigative Joint Task Force in advance of its use so that the FBI
and other agencies can review the notification and provide its assessment
on how the proposed active defense measure may be amended to better conform
to Federal law, the terms of section 4, and improve the technical operation
of the measure.

(c) Prioritization of Requests.—The FBI may decide how to prioritize the
issuance of such guidance to defenders based on the availability of
resources.

SEC. 7. ANNUAL REPORT ON THE FEDERAL GOVERNMENT’S PROGRESS IN DETERRING
CYBER FRAUD AND CYBER-ENABLED CRIMES.

The Department of Justice, after consultation with the Department of
Homeland Security and other relevant Federal agencies, shall deliver an
annual report to Congress not later than March 31 of each year, detailing
the results of law enforcement activities pertaining to cybercriminal
deterrence for the previous calendar year. The report shall include—

(1) the number of computer fraud cases reported by United States citizens
and United States businesses to FBI Field Offices, the Secret Service
Electronic Crimes Task Force, the Internet Crimes Complaint Center (IC3)
website, and other Federal law enforcement agencies;

(2) the number of investigations opened as a result of public reporting of
computer fraud crimes, and the number of investigations open independently
of any specific crimes being reported;

(3) the number of cyber fraud cases prosecuted under section 1030 of title
18, United States Code, and other related statutes involving cybercrime,
including the resolution of the cases;

(4) the number of computer fraud crimes determined to have originated from
United States suspects and the number determined to have originated from
foreign suspects, and details of the country of origin of the suspected
foreign suspects;

(5) the number of dark web cybercriminal marketplaces and cybercriminal
networks disabled by law enforcement activities;

(6) an estimate of the total financial damages suffered by United States
citizens and businesses resulting from ransomware and other fraudulent
cyberattacks;

(7) the number of law enforcement personnel assigned to investigate and
prosecute cybercrimes; and

(8) the number of active cyber defense notifications filed as required by
this Act and a comprehensive evaluation of the notification process and
voluntary preemptive review pilot program.

SEC. 8. REQUIREMENT FOR THE DEPARTMENT OF JUSTICE TO UPDATE THE MANUAL ON
THE PROSECUTION OF CYBER CRIMES.

(a) The Department of Justice shall update the “Prosecuting Computer Crimes
Manual” to reflect the changes made by this legislation.

(b) The Department of Justice is encouraged to seek additional
opportunities to clarify the manual and other guidance to the public to
reflect evolving defensive techniques and cyber technology that can be used
in manner that does not violate section 1030 of title 18, United States
Code, or other Federal law and international treaties.

SEC. 9. SUNSET.

The exclusion from prosecution created by this Act shall expire 2 years
after the date of enactment of this Act.